Security Incidents mailing list archives
Re: DoS attacks using ports 31800, 31900 ?
From: "Deapesh Misra" <deapesh () gmail com>
Date: Tue, 6 Feb 2007 10:36:33 -0500
On 2/2/07, David Gillett <gillettdavid () fhda edu> wrote:
A certain amount of the packets that arrive at our gateway are blowback, remote hosts responding to traffic where an address in our block was forged as the source. These are most often ICMP Port Unreachables generated by UDP Windows Messenger spam, with SYN-ACKs from port 80 running a distant second. Within the last 24-48 hours, I've noticed something new: significant numbers of SYN-ACKs from port 31800, and a smaller number from 31900, from less than a dozen addresses scattered around the Internet. None of those addresses has yet resolved via rDNS.
<SNIP>
IP Address Port Count 60.31.208.10 31800 3100 60.190.108.57 31800 3500 60.191.0.2 31800 26 late start 61.142.160.181 31800 4200 124.243.201.171 31800 3100 125.64.16.79 31800 4500
<SNIP>
David Gillett
It is interesting to note that all these IP addresses are located in the same country -China. If you look at the port report for port 31900 from ISC SANS, it shows a peak in the same date range you saw this happen: http://isc.sans.org/port.html?port=31900 _____________________________ -Deapesh Misra
Current thread:
- DoS attacks using ports 31800, 31900 ? David Gillett (Feb 02)
- Re: DoS attacks using ports 31800, 31900 ? Deapesh Misra (Feb 06)